Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- Reviewed
Description
Background:
Currently, HBase ACLs can be retrieved based on the namespace or table name only. There is no direct API available to retrieve the permissions based on the namespace, table name, column family and column qualifier for a specific user.
A client has to write application logic in multiple steps to retrieve ACLs based on table name, column name and column qualifier for a specific user.
HBase should enhance the AccessControlClient APIs to simplify this.
The AccessControlClient API should be extended with the following APIs:
1. To retrieve permissions based on the namespace, table name, column family and column qualifier for a specific user.
Permissions can be retrieved based on the following inputs:
- Namespace/Table (already available)
- Namespace/Table + UserName
- Table + CF
- Table + CF + UserName
- Table + CF + CQ
- Table + CF + CQ + UserName
The scope of retrieving permissions will be as follows:
- Same as existing
2. To validate whether a user is allowed to perform specified operations on a particular table. This will be useful to check user privilege instead of getting ACD during client operation.
User validation can be performed based on the following inputs:
- Table + CF + CQ + UserName + Actions
Scope of validating user privilege:
A user can perform a self check without any special privilege, but ADMIN privilege will be required to perform the check for other users.
For example, suppose there are two users, "userA" and "userB". The following scenarios are then possible:
- When userA wants to check whether userA has the privilege to perform the mentioned actions:
> userA doesn't need ADMIN privilege, as it's a self query.
- When userA wants to check whether userB has the privilege to perform the mentioned actions:
> userA must have ADMIN or superuser privilege, as it's trying to query for another user.
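
The retrieval inputs and the self-check versus ADMIN rule described above, modeled in Python as an added example; this is not HBase or AccessControlClient code. The `Grant` type, the function names and the sample ACLs are constructed for illustration, and the model assumes that ADMIN is held as a table-level grant and that retrieval filters match the family and qualifier exactly.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Grant:
    """One ACL entry; family/qualifier of None means whole table / whole family."""
    user: str
    table: str
    family: Optional[str]
    qualifier: Optional[str]
    actions: FrozenSet[str]

# Constructed sample ACLs (not taken from a real cluster).
ACLS: List[Grant] = [
    Grant("userA", "ns1:orders", None, None, frozenset("RW")),
    Grant("userB", "ns1:orders", "cf1", None, frozenset("R")),
    Grant("userB", "ns1:orders", "cf1", "ssn", frozenset("W")),
    Grant("admin1", "ns1:orders", None, None, frozenset("RWXCA")),
]
SUPERUSERS = {"hbase"}  # assumed superuser list

def get_user_permissions(table, family=None, qualifier=None, user=None):
    """Retrieve grants for Table [+ CF [+ CQ]] [+ UserName]; omitted inputs match anything."""
    return [g for g in ACLS
            if g.table == table
            and (family is None or g.family == family)
            and (qualifier is None or g.qualifier == qualifier)
            and (user is None or g.user == user)]

def _covers(g, table, family, qualifier):
    # A grant applies to a cell if it sits at that scope or at an enclosing one.
    return (g.table == table
            and g.family in (None, family)
            and g.qualifier in (None, qualifier))

def _allowed(user, table, family, qualifier, actions):
    granted = set()
    for g in ACLS:
        if g.user == user and _covers(g, table, family, qualifier):
            granted |= g.actions
    return set(actions) <= granted

def has_permission(caller, table, family, qualifier, user, actions):
    """Self check needs no privilege; checking another user needs ADMIN or superuser."""
    if caller != user and caller not in SUPERUSERS \
            and not _allowed(caller, table, None, None, "A"):
        raise PermissionError(f"{caller} needs ADMIN to check {user}")
    return _allowed(user, table, family, qualifier, actions)
```
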